1. 31 May, 2019 4 commits
    • batman-adv: allow updating DAT entry timeouts on incoming ARP Replies · 504eff55
      Linus Lüssing authored
      [ Upstream commit 099e6cc1582dc2903fecb898bbeae8f7cf4262c7 ]
      
      Currently incoming ARP Replies, for example via a DHT-PUT message, do
      not update the timeout for an already existing DAT entry. These ARP
      Replies are dropped instead.
      
      This however defeats the purpose of the DHCPACK snooping, for instance.
      Right now, a DAT entry in the DHT will be purged every five minutes,
      likely leading to a mesh-wide ARP Request broadcast after this timeout,
      which then recreates the entry. The idea of the DHCPACK snooping is to
      be able to update an entry before a timeout happens, to avoid ARP Request
      flooding.
      
      This patch fixes this issue by updating a DAT entry on incoming
      ARP Replies even if a matching DAT entry already exists, while still
      filtering the ARP Reply towards the soft-interface to avoid duplicate
      messages on the client device side.
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      Acked-by: Antonio Quartulli <a@unstable.cc>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • mac80211/cfg80211: update bss channel on channel switch · f213a1d5
      Sergey Matyukevich authored
      [ Upstream commit 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 ]
      
      FullMAC STAs have no way to update bss channel after CSA channel switch
      completion. As a result, user-space tools may provide inconsistent
      channel info. For instance, consider the following two commands:
      $ sudo iw dev wlan0 link
      $ sudo iw dev wlan0 info
      The latter command gets channel info from the hardware, so most probably
      its output will be correct. However the former command gets channel info
      from scan cache, so its output will contain outdated channel info.
      In fact, current bss channel info will not be updated until the
      next [re-]connect.
      
      Note that mac80211 STAs have a workaround for this, but it requires
      access to internal cfg80211 data, see ieee80211_chswitch_work:
      
      	/* XXX: shouldn't really modify cfg80211-owned data! */
      	ifmgd->associated->channel = sdata->csa_chandef.chan;
      
      This patch suggests converting the mac80211 workaround into cfg80211 behavior
      and updating the current bss channel in cfg80211_ch_switch_notify.
      Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • net: erspan: fix use-after-free · 1d629bf9
      William Tu authored
      commit b423d13c08a656c719fa56324a8f4279c835d90c upstream.
      
      When building the erspan header for either v1 or v2, eth_hdr()
      does not point to the right inner packet's eth_hdr,
      causing a kasan report of use-after-free and slab-out-of-bounds read.
      
      The patch fixes the following syzkaller issues:
      [1] BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
      [2] BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
      [3] BUG: KASAN: use-after-free in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
      [4] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
      
      [2] CPU: 0 PID: 3654 Comm: syzkaller377964 Not tainted 4.15.0-rc9+ #185
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:252
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x25b/0x340 mm/kasan/report.c:409
       __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
       erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
       erspan_xmit+0x3b8/0x13b0 net/ipv4/ip_gre.c:740
       __netdev_start_xmit include/linux/netdevice.h:4042 [inline]
       netdev_start_xmit include/linux/netdevice.h:4051 [inline]
       packet_direct_xmit+0x315/0x6b0 net/packet/af_packet.c:266
       packet_snd net/packet/af_packet.c:2943 [inline]
       packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2968
       sock_sendmsg_nosec net/socket.c:638 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:648
       SYSC_sendto+0x361/0x5c0 net/socket.c:1729
       SyS_sendto+0x40/0x50 net/socket.c:1697
       do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
       do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
       entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
      RIP: 0023:0xf7fcfc79
      RSP: 002b:00000000ffc6976c EFLAGS: 00000286 ORIG_RAX: 0000000000000171
      RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020011000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020008000
      RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      Fixes: f551c91de262 ("net: erspan: introduce erspan v2 for ip_gre")
      Fixes: 84e54fe0 ("gre: introduce native tunnel support for ERSPAN")
      Reported-by: syzbot+9723f2d288e49b492cf0@syzkaller.appspotmail.com
      Reported-by: syzbot+f0ddeb2b032a8e1d9098@syzkaller.appspotmail.com
      Reported-by: syzbot+f14b3703cd8d7670203f@syzkaller.appspotmail.com
      Reported-by: syzbot+eefa384efad8d7997f20@syzkaller.appspotmail.com
      Signed-off-by: William Tu <u9012063@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Christoph Paasch <cpaasch@apple.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: mcast: fix multicast tt/tvlv worker locking · 3b61016d
      Linus Lüssing authored
      commit a3c7cd0cdf1107f891aff847ad481e34df727055 upstream.
      
      Syzbot has reported some issues with the locking assumptions made for
      the multicast tt/tvlv worker: it was able to trigger the WARN_ON() in
      batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
      While hard/not reproducible for us so far, it seems that the
      delayed_work_pending() we use might not be quite safe from reordering.
      
      Therefore this patch adds an explicit, new spinlock to protect the
      update of the mla_list and flags in bat_priv and then removes the
      WARN_ON(delayed_work_pending()).
      
      Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
      Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
      Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
      Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
      Fixes: cbebd363 ("batman-adv: Use own timer for multicast TT and TVLV updates")
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 25 May, 2019 11 commits
    • mac80211: Fix kernel panic due to use of txq after free · e28b4dc4
      Bhagavathi Perumal S authored
      [ Upstream commit f1267cf3c01b12e0f843fb6a7450a7f0b2efab8a ]
      
      The txq of the vif is added to the active_txqs list for ATF TXQ scheduling
      in the function ieee80211_queue_skb(), but it was not properly removed
      before freeing the txq object. This caused a use-after-free of the txq
      objects from the active_txqs list; the result was a kernel panic
      due to invalid memory access.
      
      Fix the kernel invalid memory access by properly removing the txq object
      from the active_txqs list before freeing the object.
      Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
      Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • xfrm4: Fix uninitialized memory read in _decode_session4 · d5690231
      Steffen Klassert authored
      [ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ]
      
      We currently don't reload pointers pointing into the skb header
      after doing pskb_may_pull() in _decode_session4(). So in case
      pskb_may_pull() changed the pointers, we read from random
      memory. Fix this by putting all the needed information on the
      stack, so that we don't need to access the header pointers
      after doing pskb_may_pull().
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • esp4: add length check for UDP encapsulation · cb7adeca
      Sabrina Dubroca authored
      [ Upstream commit 8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e ]
      
      esp_output_udp_encap can produce a length that doesn't fit in the 16
      bits of a UDP header's length field. In that case, we'll send a
      fragmented packet whose length is larger than IP_MAX_MTU (resulting in
      "Oversized IP packet" warnings on receive) and with a bogus UDP
      length.
      
      To prevent this, add a length check to esp_output_udp_encap and return
       -EMSGSIZE on failure.
      
      This seems to be older than git history.
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • vti4: ipip tunnel deregistration fixes. · e2f610b3
      Jeremy Sowden authored
      [ Upstream commit 5483844c3fc18474de29f5d6733003526e0a9f78 ]
      
      If tunnel registration failed during module initialization, the module
      would fail to deregister the IPPROTO_COMP protocol and would attempt to
      deregister the tunnel.
      
      The tunnel was not deregistered during module-exit.
      
      Fixes: dd9ee3444014e ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
      Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module · fd29be8b
      Su Yanjun authored
      [ Upstream commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 ]
      
      When unloading the xfrm6_tunnel module, xfrm6_tunnel_fini directly
      frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the
      xfrm6_tunnel_spi, so we need to wait for it.
      
      Fixes: 91cc3bb0 ("xfrm6_tunnel: RCU conversion")
      Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
      Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink · 1a2bb512
      YueHaibing authored
      [ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ]
      
      UBSAN reports this:
      
      UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24
      index 6 is out of range for type 'unsigned int [6]'
      CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
       0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4
       0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80
       ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8
      Call Trace:
       <IRQ>  [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline]
       <IRQ>  [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
       [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
       [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382
       [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289
       [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309
       [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243
       [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144
       [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline]
       [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401
       [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273
       [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline]
       [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
       [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
       [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
       [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735
       <EOI>  [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52
       [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline]
       [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446
       [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437
       [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92
       [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline]
       [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline]
       [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299
       [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245
      
      The issue is triggered as this:
      
      xfrm_add_policy
          -->verify_newpolicy_info  //check the index provided by user with XFRM_POLICY_MAX
                                    //In my case, the index is 0x6E6BB6, so it passes the check.
          -->xfrm_policy_construct  //copy the user's policy and set xfrm_policy_timer
          -->xfrm_policy_insert
              --> __xfrm_policy_link //use the origin dir, in my case it is 2
              --> xfrm_gen_index   //generate policy index, here it is 0x6E6BB6
      
      then xfrm_policy_timer is fired
      
      xfrm_policy_timer
         --> xfrm_policy_id2dir  //get dir from (policy index & 7), in my case it is 6
         --> xfrm_policy_delete
            --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access
      
      Add an xfrm_policy_id2dir check in verify_newpolicy_info to make sure the computed dir is
      valid, fixing the issue.
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Fixes: e682adf0 ("xfrm: Try to honor policy index if it's supplied by user")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
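      To make the index/dir relation in the analysis above concrete, here is a small standalone C model added by the editor; it is not the kernel's code and not part of the commit. The constants and the sample index 0x6E6BB6 follow the report (a six-entry policy_count array, and the low three bits of the index as the direction); the names old_verify, new_verify and timer_path_oob are made up for the illustration, and the exact check the upstream fix adds may differ from this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the xfrm policy-index/direction relation described in
 * the commit message above. Constants follow the UBSAN report: policy_count[]
 * has six entries ('unsigned int [6]'). This is not the kernel's code. */
#define XFRM_POLICY_MAX   3                      /* IN, OUT, FWD */
#define POLICY_DIRS       (XFRM_POLICY_MAX * 2)  /* six per-direction counters */

/* The direction is derived from the low three bits of the policy index. */
static unsigned int policy_id2dir(unsigned int index)
{
    return index & 7;
}

/* Old behaviour (hypothetical model): only the explicit dir is range-checked,
 * the user-supplied index is accepted as long as it is non-zero. */
static bool old_verify(unsigned int index, unsigned int dir)
{
    (void)index;
    return dir < XFRM_POLICY_MAX;
}

/* Hardened behaviour (hypothetical model): a user-supplied index must encode
 * the same direction the caller asked for, so the timer path can never derive
 * an out-of-range dir from it later. */
static bool new_verify(unsigned int index, unsigned int dir)
{
    if (dir >= XFRM_POLICY_MAX)
        return false;
    if (index != 0 && policy_id2dir(index) != dir)
        return false;
    return true;
}

/* Would the timer path index policy_count[] out of bounds for this index? */
static bool timer_path_oob(unsigned int index)
{
    return policy_id2dir(index) >= POLICY_DIRS;
}

int main(void)
{
    unsigned int idx = 0x6E6BB6, dir = 2;   /* values quoted in the report */

    printf("index 0x%X -> dir %u, timer path out of bounds: %s\n",
           idx, policy_id2dir(idx), timer_path_oob(idx) ? "yes" : "no");
    printf("old verify accepts: %s, new verify accepts: %s\n",
           old_verify(idx, dir) ? "yes" : "no",
           new_verify(idx, dir) ? "yes" : "no");
    return 0;
}
```

      Running it shows the report's case end to end: the old check lets index 0x6E6BB6 through with dir 2, the timer path later recovers dir 6 from the same index and walks off the six-entry array, while the index/dir consistency check rejects the policy at creation time.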
    • vsock/virtio: Initialize core virtio vsock before registering the driver · 545daadb
      Jorge E. Moreira authored
      [ Upstream commit ba95e5dfd36647622d8897a2a0470dde60e59ffd ]
      
      Avoid a race in which static variables in net/vmw_vsock/af_vsock.c are
      accessed (while handling interrupts) before they are initialized.
      
      [    4.201410] BUG: unable to handle kernel paging request at ffffffffffffffe8
      [    4.207829] IP: vsock_addr_equals_addr+0x3/0x20
      [    4.211379] PGD 28210067 P4D 28210067 PUD 28212067 PMD 0
      [    4.211379] Oops: 0000 [#1] PREEMPT SMP PTI
      [    4.211379] Modules linked in:
      [    4.211379] CPU: 1 PID: 30 Comm: kworker/1:1 Not tainted 4.14.106-419297-gd7e28cc1f241 #1
      [    4.211379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [    4.211379] Workqueue: virtio_vsock virtio_transport_rx_work
      [    4.211379] task: ffffa3273d175280 task.stack: ffffaea1800e8000
      [    4.211379] RIP: 0010:vsock_addr_equals_addr+0x3/0x20
      [    4.211379] RSP: 0000:ffffaea1800ebd28 EFLAGS: 00010286
      [    4.211379] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffffb94e42f0
      [    4.211379] RDX: 0000000000000400 RSI: ffffffffffffffe0 RDI: ffffaea1800ebdd0
      [    4.211379] RBP: ffffaea1800ebd58 R08: 0000000000000001 R09: 0000000000000001
      [    4.211379] R10: 0000000000000000 R11: ffffffffb89d5d60 R12: ffffaea1800ebdd0
      [    4.211379] R13: 00000000828cbfbf R14: 0000000000000000 R15: ffffaea1800ebdc0
      [    4.211379] FS:  0000000000000000(0000) GS:ffffa3273fd00000(0000) knlGS:0000000000000000
      [    4.211379] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0
      [    4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [    4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [    4.211379] Call Trace:
      [    4.211379]  ? vsock_find_connected_socket+0x6c/0xe0
      [    4.211379]  virtio_transport_recv_pkt+0x15f/0x740
      [    4.211379]  ? detach_buf+0x1b5/0x210
      [    4.211379]  virtio_transport_rx_work+0xb7/0x140
      [    4.211379]  process_one_work+0x1ef/0x480
      [    4.211379]  worker_thread+0x312/0x460
      [    4.211379]  kthread+0x132/0x140
      [    4.211379]  ? process_one_work+0x480/0x480
      [    4.211379]  ? kthread_destroy_worker+0xd0/0xd0
      [    4.211379]  ret_from_fork+0x35/0x40
      [    4.211379] Code: c7 47 08 00 00 00 00 66 c7 07 28 00 c7 47 08 ff ff ff ff c7 47 04 ff ff ff ff c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 8b 47 08 <3b> 46 08 75 0a 8b 47 04 3b 46 04 0f 94 c0 c3 31 c0 c3 90 66 2e
      [    4.211379] RIP: vsock_addr_equals_addr+0x3/0x20 RSP: ffffaea1800ebd28
      [    4.211379] CR2: ffffffffffffffe8
      [    4.211379] ---[ end trace f31cc4a2e6df3689 ]---
      [    4.211379] Kernel panic - not syncing: Fatal exception in interrupt
      [    4.211379] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [    4.211379] Rebooting in 5 seconds..
      
      Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug")
      Cc: Stefan Hajnoczi <stefanha@redhat.com>
      Cc: Stefano Garzarella <sgarzare@redhat.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: kvm@vger.kernel.org
      Cc: virtualization@lists.linux-foundation.org
      Cc: netdev@vger.kernel.org
      Cc: kernel-team@android.com
      Cc: stable@vger.kernel.org [4.9+]
      Signed-off-by: Jorge E. Moreira <jemoreira@google.com>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tipc: fix modprobe tipc failed after switch order of device registration · 403eac97
      Junwei Hu authored
      [ Upstream commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e ]
      
      Error message printed:
      modprobe: ERROR: could not insert 'tipc': Address family not
      supported by protocol.
      when modprobing tipc after the following patch: switch order of
      device registration, commit 7e27e8d6130c
      ("tipc: switch order of device registration to fix a crash")
      
      Because sock_create_kern(net, AF_TIPC, ...) is called by
      tipc_topsrv_create_listener() in the initialization process
      of tipc_net_ops, tipc_socket_init() must be executed before that.
      
      I moved tipc_socket_init() into the function tipc_init_net().
      
      Fixes: 7e27e8d6130c ("tipc: switch order of device registration to fix a crash")
      Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
      Reported-by: Wang Wang <wangwang2@huawei.com>
      Reviewed-by: Kang Zhou <zhoukang7@huawei.com>
      Reviewed-by: Suanming Mou <mousuanming@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vsock/virtio: free packets during the socket release · 4e539fa2
      Stefano Garzarella authored
      [ Upstream commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 ]
      
      When the socket is released, we should free all packets
      queued in the per-socket list in order to avoid a memory
      leak.
      Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tipc: switch order of device registration to fix a crash · af4af68d
      Junwei Hu authored
      [ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]
      
      When tipc is loaded while many processes try to create a TIPC socket,
      a crash occurs:
       PANIC: Unable to handle kernel paging request at virtual
       address "dfff20000000021d"
       pc : tipc_sk_create+0x374/0x1180 [tipc]
       lr : tipc_sk_create+0x374/0x1180 [tipc]
         Exception class = DABT (current EL), IL = 32 bits
       Call trace:
        tipc_sk_create+0x374/0x1180 [tipc]
        __sock_create+0x1cc/0x408
        __sys_socket+0xec/0x1f0
        __arm64_sys_socket+0x74/0xa8
       ...
      
      This is due to a race between sock_create and an unfinished
      register_pernet_device. tipc_sk_insert tries to do
      "net_generic(net, tipc_net_id)", but tipc_net_id is not
      initialized yet.
      
      So switch the order of the two to close the race.
      
      This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
      and one process doing module removal.
      
      Fixes: a62fbcce ("tipc: make subscriber server support net namespace")
      Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
      Reported-by: Wang Wang <wangwang2@huawei.com>
      Reviewed-by: Xiaogang Wang <wangxiaogang3@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: avoid weird emergency message · a1e1577d
      Eric Dumazet authored
      [ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ]
      
      When the host is under high stress, it is very possible that the thread
      running netdev_wait_allrefs() returns from msleep(250)
      10 seconds late.
      
      This leads to these messages in the syslog:
      
      [...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0
      
      If the device refcount is zero, the wait is over.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. 21 May, 2019 1 commit
  4. 16 May, 2019 19 commits
    • tipc: fix hanging clients using poll with EPOLLOUT flag · 8cb80eb1
      Parthasarathy Bhuvaragan authored
      [ Upstream commit ff946833b70e0c7f93de9a3f5b329b5ae2287b38 ]
      
      commit 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets")
      introduced a regression for clients using non-blocking sockets.
      After the commit, we send EPOLLOUT event to the client even in
      TIPC_CONNECTING state. This causes the subsequent send() to fail
      with ENOTCONN, as the socket is still not in TIPC_ESTABLISHED state.
      
      In this commit, we:
      - improve the fix for hanging poll() by replacing sk_data_ready()
        with sk_state_change() to wake up all clients.
      - revert the faulty updates introduced by commit 517d7c79bdb398
        ("tipc: fix hanging poll() for stream sockets").
      
      Fixes: 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets")
      Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@gmail.com>
      Acked-by: Jon Maloy <jon.maloy@ericsson.se>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vrf: sit mtu should not be updated when vrf netdev is the link · 4911bfb0
      Stephen Suryaputra authored
      [ Upstream commit ff6ab32bd4e073976e4d8797b4d514a172cfe6cb ]
      
      The VRF netdev mtu isn't typically set and has an mtu of 65536. When the
      link of a tunnel is set, the tunnel mtu is changed from 1480 to the link
      mtu minus the tunnel header. In the case where the VRF netdev is the link, the
      tunnel mtu becomes 65516. So, fix it by not setting the tunnel mtu in
      this case.
      Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
      Reviewed-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vlan: disable SIOCSHWTSTAMP in container · 64651ef9
      Hangbin Liu authored
      [ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ]
      
      With NET_ADMIN enabled in container, a normal user could be mapped to
      root and is able to change the real device's rx filter via ioctl on
      vlan, which would affect the other ptp process on host. Fix it by
      disabling SIOCSHWTSTAMP in container.
      
      Fixes: a6111d3c ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device")
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Acked-by: Richard Cochran <richardcochran@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • packet: Fix error path in packet_init · 078b5592
      YueHaibing authored
      [ Upstream commit 36096f2f4fa05f7678bc87397665491700bae757 ]
      
      kernel BUG at lib/list_debug.c:47!
      invalid opcode: 0000 [#1
      CPU: 0 PID: 12914 Comm: rmmod Tainted: G        W         5.1.0+ #47
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
      RIP: 0010:__list_del_entry_valid+0x53/0x90
      Code: 48 8b 32 48 39 fe 75 35 48 8b 50 08 48 39 f2 75 40 b8 01 00 00 00 5d c3 48
      89 fe 48 89 c2 48 c7 c7 18 75 fe 82 e8 cb 34 78 ff <0f> 0b 48 89 fe 48 c7 c7 50 75 fe 82 e8 ba 34 78 ff 0f 0b 48 89 f2
      RSP: 0018:ffffc90001c2fe40 EFLAGS: 00010286
      RAX: 000000000000004e RBX: ffffffffa0184000 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffff888237a17788 RDI: 00000000ffffffff
      RBP: ffffc90001c2fe40 R08: 0000000000000000 R09: 0000000000000000
      R10: ffffc90001c2fe10 R11: 0000000000000000 R12: 0000000000000000
      R13: ffffc90001c2fe50 R14: ffffffffa0184000 R15: 0000000000000000
      FS:  00007f3d83634540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000555c350ea818 CR3: 0000000231677000 CR4: 00000000000006f0
      Call Trace:
       unregister_pernet_operations+0x34/0x120
       unregister_pernet_subsys+0x1c/0x30
       packet_exit+0x1c/0x369 [af_packet
       __x64_sys_delete_module+0x156/0x260
       ? lockdep_hardirqs_on+0x133/0x1b0
       ? do_syscall_64+0x12/0x1f0
       do_syscall_64+0x6e/0x1f0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      When modprobing af_packet, register_pernet_subsys
      fails and does a cleanup, ops->list is set to LIST_POISON1,
      but the module init is considered a success; then while rmmod-ing it,
      BUG() is triggered in __list_del_entry_valid, which is called from
      unregister_pernet_subsys. This patch fixes the error handling path in
      packet_init to avoid possible issues if some error occurs.
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: dsa: Fix error cleanup path in dsa_init_module · 77df11da
      YueHaibing authored
      [ Upstream commit 68be930249d051fd54d3d99156b3dcadcb2a1f9b ]
      
      BUG: unable to handle kernel paging request at ffffffffa01c5430
      PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bc5067 PTE 0
      Oops: 0000 [#1
      CPU: 0 PID: 6159 Comm: modprobe Not tainted 5.1.0+ #33
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
      RIP: 0010:raw_notifier_chain_register+0x16/0x40
      Code: 63 f8 66 90 e9 5d ff ff ff 90 90 90 90 90 90 90 90 90 90 90 55 48 8b 07 48 89 e5 48 85 c0 74 1c 8b 56 10 3b 50 10 7e 07 eb 12 <39> 50 10 7c 0d 48 8d 78 08 48 8b 40 08 48 85 c0 75 ee 48 89 46 08
      RSP: 0018:ffffc90001c33c08 EFLAGS: 00010282
      RAX: ffffffffa01c5420 RBX: ffffffffa01db420 RCX: 4fcef45928070a8b
      RDX: 0000000000000000 RSI: ffffffffa01db420 RDI: ffffffffa01b0068
      RBP: ffffc90001c33c08 R08: 000000003e0a33d0 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000094443661 R12: ffff88822c320700
      R13: ffff88823109be80 R14: 0000000000000000 R15: ffffc90001c33e78
      FS:  00007fab8bd08540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffa01c5430 CR3: 00000002297ea000 CR4: 00000000000006f0
      Call Trace:
       register_netdevice_notifier+0x43/0x250
       ? 0xffffffffa01e0000
       dsa_slave_register_notifier+0x13/0x70 [dsa_core
       ? 0xffffffffa01e0000
       dsa_init_module+0x2e/0x1000 [dsa_core
       do_one_initcall+0x6c/0x3cc
       ? do_init_module+0x22/0x1f1
       ? rcu_read_lock_sched_held+0x97/0xb0
       ? kmem_cache_alloc_trace+0x325/0x3b0
       do_init_module+0x5b/0x1f1
       load_module+0x1db1/0x2690
       ? m_show+0x1d0/0x1d0
       __do_sys_finit_module+0xc5/0xd0
       __x64_sys_finit_module+0x15/0x20
       do_syscall_64+0x6b/0x1d0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Cleanup allocated resources if there are errors,
      otherwise it will trigger a memleak.
      
      Fixes: c9eb3e0f ("net: dsa: Add support for learning FDB through notification")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      77df11da
    • ipv4: Fix raw socket lookup for local traffic · 4462659e
      David Ahern authored
      [ Upstream commit 19e4e768064a87b073a4b4c138b55db70e0cfb9f ]
      
      inet_iif should be used for the raw socket lookup. inet_iif considers
      rt_iif which handles the case of local traffic.
      
      As it stands, ping to a local address with the '-I <dev>' option fails
      ever since ping was changed to use SO_BINDTODEVICE instead of
      cmsg + IP_PKTINFO.
      
      IPv6 works fine.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4462659e
    • fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied · aad6526b
      Hangbin Liu authored
      [ Upstream commit e9919a24d3022f72bcadc407e73a6ef17093a849 ]
      
      With commit 153380ec ("fib_rules: Added NLM_F_EXCL support to
      fib_nl_newrule") we are now able to check if a rule already exists. But this
      only works with iproute2. For other tools like libnl, NetworkManager,
      it still could add duplicate rules with only NLM_F_CREATE flag, like
      
      [localhost ~ ]# ip rule
      0:      from all lookup local
      32766:  from all lookup main
      32767:  from all lookup default
      100000: from 192.168.7.5 lookup 5
      100000: from 192.168.7.5 lookup 5
      
      As it doesn't make sense to create two duplicate rules, let's just return
      0 if the rule exists.
      
      Fixes: 153380ec ("fib_rules: Added NLM_F_EXCL support to fib_nl_newrule")
      Reported-by: Thomas Haller <thaller@redhat.com>
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      aad6526b
    • bridge: Fix error path for kobject_init_and_add() · 100b03e8
      Tobin C. Harding authored
      [ Upstream commit bdfad5aec1392b93495b77b864d58d7f101dc1c1 ]
      
      Currently error return from kobject_init_and_add() is not followed by a
      call to kobject_put().  This means there is a memory leak.  We currently
      set p to NULL so that kfree() may be called on it as a noop, the code is
      arguably clearer if we move the kfree() up closer to where it is
      called (instead of after goto jump).
      
      Remove a goto label 'err1' and jump to call to kobject_put() in error
      return from kobject_init_and_add() fixing the memory leak.  Rename goto
      label 'put_back' to 'err1' now that we don't use err1, following current
      nomenclature (err1, err2 ...).  Move call to kfree out of the error
      code at bottom of function up closer to where memory was allocated.
      Add comment to clarify call to kfree().
      Signed-off-by: Tobin C. Harding <tobin@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      100b03e8
    • NFC: nci: Add some bounds checking in nci_hci_cmd_received() · 205db528
      Dan Carpenter authored
      [ Upstream commit d7ee81ad09f072eab1681877fc71ec05f9c1ae92 ]
      
      This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
      corruption when handling SHDLC I-Frame commands").
      
      I'm not totally sure, but I think that commit description may have
      overstated the danger.  I was under the impression that this data came
      from the firmware?  If you can't trust your networking firmware, then
      you're already in trouble.
      
      Anyway, these days we add bounds checking wherever we can and we call
      it kernel hardening.  Better safe than sorry.
      
      Fixes: 11f54f22 ("NFC: nci: Add HCI over NCI protocol support")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      205db528
    • netfilter: nf_tables: warn when expr implements only one of activate/deactivate · f11935ef
      Florian Westphal authored
      [ Upstream commit 0ef235c71755c5f36c50282fcf2d7d08709be344 ]
      
      ->destroy is only allowed to free data, or do other cleanups that do not
      have side effects on other state, such as visibility to other netlink
      requests.
      
      Such things need to be done in ->deactivate.
      As a transaction can fail, we need to make sure we can undo such
      operations, therefore ->activate() has to be provided too.
      
      So print a warning and refuse registration if expr->ops provides
      only one of the two operations.
      
      v2: fix nft_expr_check_ops to not repeat same check twice (Jones Desougi)
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      f11935ef
    • net_sched: fix two more memory leaks in cls_tcindex · cdf6680a
      Cong Wang authored
      [ Upstream commit 1db817e75f5b9387b8db11e37d5f0624eb9223e0 ]
      
      struct tcindex_filter_result contains two parts:
      struct tcf_exts and struct tcf_result.
      
      For the local variable 'cr', its exts part is never used but
      initialized without being released properly on success path. So
      just completely remove the exts part to fix this leak.
      
      For the local variable 'new_filter_result', it is never properly
      released if not used by 'r' on success path.
      
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      cdf6680a
    • net: don't keep lonely packets forever in the gro hash · 82fd06fc
      Paolo Abeni authored
      [ Upstream commit 605108acfe6233b72e2f803aa1cb59a2af3001ca ]
      
      Eric noted that with UDP GRO and NAPI timeout, we could keep a single
      UDP packet inside the GRO hash forever, if the related NAPI instance
      calls napi_gro_complete() at a higher frequency than the NAPI timeout.
      Willem noted that even TCP packets could be trapped there, till the
      next retransmission.
      This patch tries to address the issue, flushing the old packets -
      those with a NAPI_GRO_CB age before the current jiffy - before scheduling
      the NAPI timeout. The rationale is that such a timeout should be
      well below a jiffy and we are not flushing packets eligible for sane GRO.
      
      v1  -> v2:
       - clarified the commit message and comment
      
      RFC -> v1:
       - added 'Fixes tags', cleaned-up the wording.
      Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
      Fixes: 3b47d303 ("net: gro: add a per device gro flush timer")
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Acked-by: Willem de Bruijn <willemb@google.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      82fd06fc
    • netfilter: ctnetlink: don't use conntrack/expect object addresses as id · f862c13c
      Florian Westphal authored
      [ Upstream commit 3c79107631db1f7fd32cf3f7368e4672004a3010 ]
      
      else, we leak the addresses to userspace via ctnetlink events
      and dumps.
      
      Compute an ID on demand based on the immutable parts of nf_conn struct.
      
      Another advantage compared to using an address is that there is no
      immediate re-use of the same ID in case the conntrack entry is freed and
      reallocated again immediately.
      
      Fixes: 35832402 ("[NETFILTER]: nf_conntrack_expect: kill unique ID")
      Fixes: 7f85f914 ("[NETFILTER]: nf_conntrack: kill unique ID")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      f862c13c
    • ipvs: do not schedule icmp errors from tunnels · f3cab444
      Julian Anastasov authored
      [ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]
      
      We can receive ICMP errors from client or from
      tunneling real server. While the former can be
      scheduled to real server, the latter should
      not be scheduled, they are decapsulated only when
      existing connection is found.
      
      Fixes: 6044eeff ("ipvs: attempt to schedule icmp packets")
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      f3cab444
    • nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands · 307c65e2
      Sunil Dutt authored
      [ Upstream commit d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 ]
      
      This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands
      that carry key data to ensure they do not stick around on heap
      after the SKB is freed.
      
      Also introduced this flag for NL80211_CMD_VENDOR as there are sub
      commands which configure the keys.
      Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      307c65e2
    • mac80211: fix memory accounting with A-MSDU aggregation · e8eeb5e7
      Felix Fietkau authored
      [ Upstream commit eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 ]
      
      skb->truesize can change due to memory reallocation or when adding extra
      fragments. Adjust fq->memory_usage accordingly.
      Signed-off-by: Felix Fietkau <nbd@nbd.name>
      Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      e8eeb5e7
    • mac80211: Increase MAX_MSG_LEN · 4b4355aa
      Andrei Otcheretianski authored
      [ Upstream commit 78be2d21cc1cd3069c6138dcfecec62583130171 ]
      
      Looks that 100 chars isn't enough for messages, as we keep getting
      warnings popping from different places due to message shortening.
      Instead of trying to shorten the prints, just increase the buffer size.
      Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      4b4355aa
    • mac80211: fix unaligned access in mesh table hash function · ccc26e1f
      Felix Fietkau authored
      [ Upstream commit 40586e3fc400c00c11151804dcdc93f8c831c808 ]
      
      The pointer to the last four bytes of the address is not guaranteed to be
      aligned, so we need to use __get_unaligned_cpu32 here.
      Signed-off-by: Felix Fietkau <nbd@nbd.name>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      ccc26e1f
    • netfilter: compat: initialize all fields in xt_init · 2ea2ee85
      Francesco Ruggeri authored
      commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f upstream
      
      If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
      time, the following panic can be caused by running
      
      % ebtables -t broute -F BROUTING
      
      from a 32-bit user level on a 64-bit kernel. This patch replaces
      kmalloc_array with kcalloc when allocating xt.
      
      [  474.680846] BUG: unable to handle kernel paging request at 0000000009600920
      [  474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
      [  474.693838] Oops: 0000 [#1] SMP
      [  474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
      [  474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
      [  474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
      [  474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
      [  474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
      [  474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
      [  474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
      [  474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
      [  474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
      [  474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
      [  474.780234] FS:  0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
      [  474.788612] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      [  474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
      [  474.802052] Call Trace:
      [  474.804789]  compat_do_replace+0x1fb/0x2a3 [ebtables]
      [  474.810105]  compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
      [  474.815605]  ? try_module_get+0x37/0x42
      [  474.819716]  compat_nf_setsockopt+0x4f/0x6d
      [  474.824172]  compat_ip_setsockopt+0x7e/0x8c
      [  474.828641]  compat_raw_setsockopt+0x16/0x3a
      [  474.833220]  compat_sock_common_setsockopt+0x1d/0x24
      [  474.838458]  __compat_sys_setsockopt+0x17e/0x1b1
      [  474.843343]  ? __check_object_size+0x76/0x19a
      [  474.847960]  __ia32_compat_sys_socketcall+0x1cb/0x25b
      [  474.853276]  do_fast_syscall_32+0xaf/0xf6
      [  474.857548]  entry_SYSENTER_compat+0x6b/0x7a
      Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
      Acked-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      2ea2ee85
  5. 10 May, 2019 2 commits
  6. 08 May, 2019 3 commits
    • batman-adv: Reduce tt_global hash refcnt only for removed entry · 82000f00
      Sven Eckelmann authored
      [ Upstream commit f131a56880d10932931e74773fb8702894a94a75 ]
      
      The batadv_hash_remove is a function which searches the hashtable for an
      entry using a needle, a hashtable bucket selection function and a compare
      function. It will lock the bucket list and delete an entry when the compare
      function matches it with the needle. It returns the pointer to the
      hlist_node which matches or NULL when no entry matches the needle.
      
      The batadv_tt_global_free is not itself protected in any way to avoid that
      any other function is modifying the hashtable between the search for the
      entry and the call to batadv_hash_remove. It can therefore happen that the
      entry either doesn't exist anymore or an entry was deleted which is not the
      same object as the needle. In such a situation, the reference counter (for
      the reference stored in the hashtable) must not be reduced for the needle.
      Instead the reference counter of the actually removed entry has to be
      reduced.
      
      Otherwise the reference counter will underflow and the object might be
      freed before all its references were dropped. The kref helpers reported
      this problem as:
      
        refcount_t: underflow; use-after-free.
      
      Fixes: 7683fdc1 ("batman-adv: protect the local and the global trans-tables with rcu")
      Reported-by: Martin Weinelt <martin@linuxlounge.net>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Acked-by: Antonio Quartulli <a@unstable.cc>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      82000f00
    • batman-adv: Reduce tt_local hash refcnt only for removed entry · ddb84b0f
      Sven Eckelmann authored
      [ Upstream commit 3d65b9accab4a7ed5038f6df403fbd5e298398c7 ]
      
      The batadv_hash_remove is a function which searches the hashtable for an
      entry using a needle, a hashtable bucket selection function and a compare
      function. It will lock the bucket list and delete an entry when the compare
      function matches it with the needle. It returns the pointer to the
      hlist_node which matches or NULL when no entry matches the needle.
      
      The batadv_tt_local_remove is not itself protected in any way to avoid that
      any other function is modifying the hashtable between the search for the
      entry and the call to batadv_hash_remove. It can therefore happen that the
      entry either doesn't exist anymore or an entry was deleted which is not the
      same object as the needle. In such a situation, the reference counter (for
      the reference stored in the hashtable) must not be reduced for the needle.
      Instead the reference counter of the actually removed entry has to be
      reduced.
      
      Otherwise the reference counter will underflow and the object might be
      freed before all its references were dropped. The kref helpers reported
      this problem as:
      
        refcount_t: underflow; use-after-free.
      
      Fixes: ef72706a ("batman-adv: protect tt_local_entry from concurrent delete events")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      ddb84b0f
    • batman-adv: Reduce claim hash refcnt only for removed entry · d8e291ae
      Sven Eckelmann authored
      [ Upstream commit 4ba104f468bbfc27362c393815d03aa18fb7a20f ]
      
      The batadv_hash_remove is a function which searches the hashtable for an
      entry using a needle, a hashtable bucket selection function and a compare
      function. It will lock the bucket list and delete an entry when the compare
      function matches it with the needle. It returns the pointer to the
      hlist_node which matches or NULL when no entry matches the needle.
      
      The batadv_bla_del_claim is not itself protected in any way to avoid that
      any other function is modifying the hashtable between the search for the
      entry and the call to batadv_hash_remove. It can therefore happen that the
      entry either doesn't exist anymore or an entry was deleted which is not the
      same object as the needle. In such a situation, the reference counter (for
      the reference stored in the hashtable) must not be reduced for the needle.
      Instead the reference counter of the actually removed entry has to be
      reduced.
      
      Otherwise the reference counter will underflow and the object might be
      freed before all its references were dropped. The kref helpers reported
      this problem as:
      
        refcount_t: underflow; use-after-free.
      
      Fixes: 23721387 ("batman-adv: add basic bridge loop avoidance code")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      d8e291ae
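The refcount rule shared by the three batman-adv commits above (tt_global, tt_local and claim hash), as an added user-space C example that is not kernel or batman-adv code: a stand-in for batadv_hash_remove that matches by key content and returns the object it actually unlinked, with a buggy caller that drops the needle's count beside a fixed caller that drops the count of the returned object. The names hash_remove, remove_buggy, remove_fixed and demo, and the two same-key objects that simulate the race outcome, are constructed for this example.

```c
#include <string.h>

/* Minimal refcounted hash entry standing in for a batman-adv tt/claim entry. */
struct entry {
    char key[8];
    int refcount;          /* one count per holder; the table holds one */
    struct entry *next;
};

#define NBUCKETS 4
struct bucket { struct entry *head; };

static unsigned int hash_key(const char *key)
{
    unsigned int h = 0;
    while (*key)
        h = h * 31 + (unsigned char)*key++;
    return h % NBUCKETS;
}

/* Mirrors batadv_hash_remove: match by key content, unlink the first match and
 * return the removed object, which need not be the needle object itself. */
static struct entry *hash_remove(struct bucket *tbl, const struct entry *needle)
{
    struct entry **pp;
    for (pp = &tbl[hash_key(needle->key)].head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->key, needle->key) == 0) {
            struct entry *removed = *pp;
            *pp = removed->next;
            removed->next = NULL;
            return removed;
        }
    }
    return NULL;
}

/* Buggy pattern: drops the table's reference on the needle, whatever was removed. */
static void remove_buggy(struct bucket *tbl, struct entry *needle)
{
    hash_remove(tbl, needle);
    needle->refcount--;
}

/* Fixed pattern: drops the reference only on the object actually unlinked. */
static void remove_fixed(struct bucket *tbl, struct entry *needle)
{
    struct entry *removed = hash_remove(tbl, needle);
    if (removed)
        removed->refcount--;
}

/* Constructed race outcome: 'stored' is the object in the table, 'needle' is a
 * distinct object with the same key that the caller still holds. Returns the
 * needle's refcount after the caller drops its own reference; *stored_ref gets
 * the table object's final count (1 = leaked, 0 = released). */
static int demo(int use_fixed, int *stored_ref)
{
    struct bucket tbl[NBUCKETS] = {{0}};
    struct entry stored = { "aa:bb", 1, NULL };
    struct entry needle = { "aa:bb", 1, NULL };

    tbl[hash_key(stored.key)].head = &stored;
    if (use_fixed)
        remove_fixed(tbl, &needle);
    else
        remove_buggy(tbl, &needle);
    needle.refcount--;             /* caller's own put */
    *stored_ref = stored.refcount;
    return needle.refcount;        /* buggy: -1 (underflow), fixed: 0 */
}
```

A negative return is the user-space analogue of the "refcount_t: underflow; use-after-free" report quoted in the commit messages, while a leftover count of 1 on the table object is the leak the fix avoids.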